xen-users
Re: [Xen-users] firewalls and Xen
You are right, physin/physout should do the trick for well-behaved
interfaces and bridges (I am relatively new to firehol). The problem is
that the xen interfaces don't seem to be entirely normal:

http://lists.xensource.com/archives/html/xen-users/2006-01/msg00684.html

Not sure if this would break bridge filtering, but it should give you a
hint if things continue to not work.

FYI, I am implementing a firewall using firehol in a domU. It has 3
interfaces which are plugged into 3 bridges in my dom0 (internet, lan,
and dmz). Only 2 of the bridges connect to physical ethernet interfaces
(internet, lan); the other one is meant for routing to dmz domUs only.
My setup is not complete, but partial tests are showing good results.

Cheers,
Dan.
Luke wrote:

> On Feb 14, 2006, at 10:27 AM, Daniel Goertzen wrote:
>
>> I'm not sure if it makes sense to include peth0 and vif0.0 in your
>> rules, as you are mucking around with interfaces that are in the same
>> bridge.
>
> Isn't this what the bridge interface filtering tools are for? If I
> can just figure out when packets go through each interface, I should
> be able to do it (see IPTables or Firehol's physin/physout commands).
>
>> If you're just trying to firewall dom0 you should do something like:
>
> I need to do more than that, however.
>
>> Blocking traffic to the domU: Think of the domU as sitting on the
>> same lan that dom0's eth0 is connected to. Add rules to block
>> traffic from domU's IP address. If you *really* want to filter by
>> interface, you might want to think about using xen's routed
>> configuration instead of the bridged config.
>
> I'd really rather not introduce that complication, since all I need
> to figure out is which virtual interfaces these types of packets go
> from/to. Plus, I'd really like to understand the packet flow through
> Xen's dom0 and domUs.
>
> Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
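As an added illustration of the layout Dan describes (a firewall domU with three interfaces, each plugged into a separate dom0 bridge for internet, lan and dmz), here is a FireHOL configuration in the style of the firehol 1.x "version 5" format. It is not from the original thread or from the FireHOL project; the interface names eth0/eth1/eth2, the 192.168.x.0/24 networks, the DMZ web server address and the set of permitted services are assumptions for the example. Because the domU sees ordinary eth interfaces rather than bridge ports, the rules use plain inface/outface matching and do not need physin/physout at all, which is the point of moving the firewall out of dom0.

```firehol
# Added example: three-legged firewall domU (not from the thread).
# Assumed layout:
#   eth0 -> dom0 "internet" bridge (has a physical NIC)
#   eth1 -> dom0 "lan" bridge      (has a physical NIC)
#   eth2 -> dom0 "dmz" bridge      (domU-only, no physical NIC)
version 5

# Assumed addressing for this example.
lan_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"
dmz_web="192.168.2.10"

# Publish the DMZ web server on the internet leg (assumed address).
dnat to "${dmz_web}" inface eth0 proto tcp dport 80

# --- Traffic to/from the firewall domU itself -------------------------
interface eth0 internet
    protection strong           # SYN-flood, invalid packet, etc. protections
    client all accept           # firewall may fetch updates, resolve names

interface eth1 lan src "${lan_net}"
    policy reject
    server "ssh dns" accept     # manage the firewall only from the lan
    client all accept

interface eth2 dmz src "${dmz_net}"
    policy reject               # DMZ hosts never talk to the firewall itself
    client dns accept           # firewall may query a DMZ resolver if one exists

# --- Traffic routed between the legs ---------------------------------
# In a router, "server" is a request travelling inface -> outface,
# "client" is a request travelling outface -> inface.
router lan2internet inface eth1 outface eth0 src "${lan_net}"
    masquerade                  # NAT lan clients behind the internet address
    server all accept           # lan may initiate anything outbound

router lan2dmz inface eth1 outface eth2 src "${lan_net}"
    server all accept           # lan may reach DMZ services;
                                # nothing in the DMZ may initiate toward the lan

router internet2dmz inface eth0 outface eth2
    server http accept          # only the published service reaches the DMZ

router dmz2internet inface eth2 outface eth0 src "${dmz_net}"
    masquerade
    server "dns http https" accept   # DMZ hosts may fetch updates/resolve names
```

Everything not explicitly accepted in a router is dropped by FireHOL's default, so a compromised DMZ guest has no path to the lan and only the listed outbound services to the internet; check the generated chains with `iptables -L -v -n` after `firehol try` before committing the configuration.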